100-indicators-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Prana remote wrapper that forwards user requests and handles Prana API credentials, with sensitive but documented behavior.

Install only if you are comfortable with Prana performing the actual analysis remotely. Avoid sending confidential trading strategies or account details unless Prana is approved for that data, keep config/api_key.txt or config/api_key.json out of version control, prefer environment-provided secrets when possible, and set PRANA_SKILL_NO_AUTO_API_KEY=1 or PRANA_SKILL_SKIP_WRITE_API_KEY=1 if you do not want automatic key creation or plaintext credential storage.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding:
The skill metadata declares only a benign technical-analysis purpose, yet the surrounding analysis indicates effective capabilities for environment access, file read/write, and network use without any declared permissions. In an agent ecosystem, undeclared powerful capabilities are dangerous because they can conceal data exfiltration, local persistence of secrets, or remote task execution behind an innocuous description.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding:
This is a significant description-behavior mismatch: the skill is presented as a local indicator-analysis toolkit, but the detected behavior includes contacting a remote Prana API, reading parameters from SKILL.md, packaging user input, polling for remote results, and persisting API keys locally. That mismatch undermines user consent and trust, and materially increases the risk of sensitive prompt/data exfiltration and unauthorized remote execution.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding:
The README instructs users and integrators to obtain API keys, store them locally in config files, and send them in an x-api-key header to a remote service. That creates a real credential-handling and secret-exposure risk, especially in shared environments, agent sandboxes, or public repos where config files may be logged, persisted, or accidentally committed. The skill context makes this more concerning because the advertised function is technical indicator analysis, yet the package actually requires authenticated remote execution and local secret management.

Description-Behavior Mismatch

High
Confidence: 94%
Finding:
The file instructs users to place a Prana public_key and secret_key into the skill configuration, which is unrelated to the declared purpose of a TradingView technical-indicator analysis tool. Embedding or soliciting external service credentials in a mismatched skill expands the skill's effective privilege boundary and creates a strong risk of unauthorized API access, credential misuse, or hidden exfiltration behavior.

Context-Inappropriate Capability

High
Confidence: 96%
Finding:
This file actively guides the operator to configure external-service API credentials and an optional account identifier, despite the skill being presented as a local technical analysis toolkit. That mismatch makes the skill context more dangerous because users would not reasonably expect network-capable account-bound access, increasing the likelihood of deceptive data access, credential harvesting, or unauthorized calls against a third-party service.

Description-Behavior Mismatch

High
Confidence: 98%
Finding:
The package metadata advertises local technical-analysis functionality, but this script is actually a thin client that forwards user input to a remote Prana service. That mismatch is security-relevant because users may disclose trading data, prompts, or secrets believing execution is local, when in fact data leaves the host to an external service.

Description-Behavior Mismatch

High
Confidence: 96%
Finding:
The code can automatically request API credentials from a remote service and later persist them locally, which is unrelated to the advertised indicator-analysis purpose. This expands the trust boundary and creates a credential lifecycle inside a public skill package without clear user awareness, increasing risk of account misuse or secret exposure.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding:
The script constructs a request to GET /api/v1/api-keys using account, email, or phone information from environment variables, effectively enabling remote account/API-key issuance. For a trading-indicator assistant, this is unexpected functionality and increases the chance of silent account creation or linkage using ambient identity data.

Missing User Warnings

Medium
Confidence: 95%
Finding:
At execution time, the script takes the user-provided message, wraps it with skill parameters, and sends it to a remote endpoint without any explicit warning or confirmation. In this skill context, users may reasonably expect local indicator computation, so silent exfiltration of prompt content to an external service is more dangerous than in a clearly remote SaaS client.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The code can auto-fetch credentials using account/email/phone-related environment data and then save the returned secrets to disk by default. This is dangerous because it uses ambient identifiers without a clear user-facing consent boundary and stores credentials in local files that may be leaked, committed, or accessed by other processes.

VirusTotal

64/64 vendors flagged this skill as clean.
